File name:

2025-05-17_012e3c8434e70251fb073c54bed93cf0_elex_magniber

Full analysis: https://app.any.run/tasks/d7a8dd2c-86c8-4634-b348-6dc1099dd5b0
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: May 17, 2025, 21:47:17
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
sality
sainbox
rat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

012E3C8434E70251FB073C54BED93CF0

SHA1:

1CAE0BE97238B9D8754220C87620624E8988988F

SHA256:

DC786BE41075FAEBF9275607CCBE4549AD171994E687EDA86A2723E14FF3658A

SSDEEP:

49152:vUWA3vk77+tW2BYoSfS8pCWb0M8EtBkRmsa+qrQs2km9S5yKxeOmKIn5SlFP1CZW:vU/jtW2B2b0M8EtGRy+YQum9SpWSiPns

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes Security Center notification settings

      • 2025-05-17_012e3c8434e70251fb073c54bed93cf0_elex_magniber.exe (PID: 7448)

    • SALITY mutex has been found

      • 2025-05-17_012e3c8434e70251fb073c54bed93cf0_elex_magniber.exe (PID: 7448)

    • UAC/LUA settings modification

      • 2025-05-17_012e3c8434e70251fb073c54bed93cf0_elex_magniber.exe (PID: 7448)

    • SAINBOX has been detected

      • 2025-05-17_012e3c8434e70251fb073c54bed93cf0_elex_magniber.exe (PID: 7448)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • The sample compiled with chinese language support

      • 2025-05-17_012e3c8434e70251fb073c54bed93cf0_elex_magniber.exe (PID: 7448)

    • Checks supported languages

      • 2025-05-17_012e3c8434e70251fb073c54bed93cf0_elex_magniber.exe (PID: 7448)

    • Reads the computer name

      • 2025-05-17_012e3c8434e70251fb073c54bed93cf0_elex_magniber.exe (PID: 7448)

    • Checks proxy server information

      • slui.exe (PID: 7916)

    • Reads the software policy settings

      • slui.exe (PID: 7916)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:06:06 08:23:12+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 57344
InitializedDataSize: 82656
UninitializedDataSize: -
EntryPoint: 0x570d0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
CompanyName: -
FileDescription: HpglPrint Microsoft 基础类应用程序
FileVersion: 1, 0, 0, 1
InternalName: HpglPrint
LegalCopyright: 版权所有 (C) 2009
LegalTrademarks: -
OriginalFileName: HpglPrint.EXE
ProductName: HpglPrint 应用程序
ProductVersion: 1, 0, 0, 1
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
123
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #SALITY 2025-05-17_012e3c8434e70251fb073c54bed93cf0_elex_magniber.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
7448"C:\Users\admin\Desktop\2025-05-17_012e3c8434e70251fb073c54bed93cf0_elex_magniber.exe" C:\Users\admin\Desktop\2025-05-17_012e3c8434e70251fb073c54bed93cf0_elex_magniber.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
HpglPrint Microsoft 基础类应用程序
Exit code:
255
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\desktop\2025-05-17_012e3c8434e70251fb073c54bed93cf0_elex_magniber.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7916C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 568
Read events
3 543
Write events
25
Delete events
0

Modification events

(PID) Process:(7448) 2025-05-17_012e3c8434e70251fb073c54bed93cf0_elex_magniber.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:writeName:AntiVirusOverride
Value:
1
(PID) Process:(7448) 2025-05-17_012e3c8434e70251fb073c54bed93cf0_elex_magniber.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:writeName:AntiVirusDisableNotify
Value:
1
(PID) Process:(7448) 2025-05-17_012e3c8434e70251fb073c54bed93cf0_elex_magniber.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:writeName:FirewallDisableNotify
Value:
1
(PID) Process:(7448) 2025-05-17_012e3c8434e70251fb073c54bed93cf0_elex_magniber.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:writeName:FirewallOverride
Value:
1
(PID) Process:(7448) 2025-05-17_012e3c8434e70251fb073c54bed93cf0_elex_magniber.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:writeName:UpdatesDisableNotify
Value:
1
(PID) Process:(7448) 2025-05-17_012e3c8434e70251fb073c54bed93cf0_elex_magniber.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:writeName:UacDisableNotify
Value:
1
(PID) Process:(7448) 2025-05-17_012e3c8434e70251fb073c54bed93cf0_elex_magniber.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Operation:writeName:AntiVirusOverride
Value:
1
(PID) Process:(7448) 2025-05-17_012e3c8434e70251fb073c54bed93cf0_elex_magniber.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Operation:writeName:AntiVirusDisableNotify
Value:
1
(PID) Process:(7448) 2025-05-17_012e3c8434e70251fb073c54bed93cf0_elex_magniber.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Operation:writeName:FirewallDisableNotify
Value:
1
(PID) Process:(7448) 2025-05-17_012e3c8434e70251fb073c54bed93cf0_elex_magniber.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Operation:writeName:FirewallOverride
Value:
1
Executable files
0
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
74482025-05-17_012e3c8434e70251fb073c54bed93cf0_elex_magniber.exeC:\Windows\system.inibinary
MD5:846AD3AE96BD566EF29C8005BDAB0AB7
SHA256:C982EF22C39F65DAC34068C41A1A7A1225F17378EBFCD289369811604B95B468
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
38
DNS requests
12
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7716
SIHClient.exe
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7716
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7716
SIHClient.exe
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
7716
SIHClient.exe
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
7716
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7716
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7716
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
7716
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
7716
SIHClient.exe
4.175.87.197:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7716
SIHClient.exe
2.16.168.114:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
7716
SIHClient.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
7716
SIHClient.exe
40.69.42.241:443
fe3cr.delivery.mp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7304
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6544
svchost.exe
20.190.160.22:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.238
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.11
whitelisted
login.live.com
  • 20.190.160.22
  • 40.126.32.76
  • 40.126.32.140
  • 20.190.160.17
  • 20.190.160.131
  • 20.190.160.66
  • 20.190.160.132
  • 40.126.32.134
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-05-17_012e3c8434e70251fb073c54bed93cf0_elex_magniber